Beware the next circle of hell: Unpatchable systems

Microsoft's decision to end support for Windows XP in April was met with a collective gulp by the IT community. For good reason: Approximately 30 percent of all desktop systems continue to run XP despite Microsoft's decision to stop offering security updates. Furthermore, a critical security flaw in Internet Explorer 8 disclosed recently by HP's TippingPoint Division opens the door to remote attacks on XP systems that use IE8.

But Windows XP is just the tip of an ever-widening iceberg: software and hardware that is unpatchable and unsupportable -- by policy or design. In fact, the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations.

This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of -- or hostile to -- change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.

Trouble close to home

The problem of unsupported or undersupported devices hits close to home for millions of broadband users in the United States and Europe. Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups.

That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon," which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems.

Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported.

"As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," Team Cymru concluded in its report. "Security for these devices is typically a secondary concern to cost and usability, and has traditionally been overlooked by both manufacturers and consumers."

A green light for attacks

Beyond traditional IT, the problems are even worse. Embedded systems are proliferating in nearly every corner of daily life. But even large-volume vendors pushing the hardware to consumers and businesses are often heedless of the need to manage the underlying software, says Cesar Cerrudo, CTO of security firm IOActive Labs.

Worse, these customers often defer to the hardware vendors on matters relating to security or conclude (wrongly) that embedded systems are too obscure to warrant protection, Cerrudo says.

The opposite is true. In its research, IOActive has uncovered the routine use of insecure or hidden protocols, backdoor administrative accounts with hard-coded credentials that cannot be changed, and vulnerable user authentication features.

For industrial control systems, customer trust in unsupported and unsupportable embedded devices is a disaster in waiting. In one recent example, Cerrudo and his colleagues investigated the security of in-pavement wireless vehicle detection technology made by Sensys Networks. The technology has been deployed in 40 U.S. cities, including Washington, New York, Los Angeles, and San Francisco.

They discovered a wide range of design faults and insecurities in the Sensys products. Notably, the in-road sensors did not secure communications with access points used to collect data. That would allow a knowledgeable attacker to spoof the sensors and send bogus data to traffic management systems or to take control of critical infrastructure such as traffic lights.

Presented with IOActive's findings, Sensys Networks told Cerrudo that more recent releases of the company's hardware had fixed some of the prominent software vulnerabilities he had discovered. The problem: There is no way to update the hardware.

"Vendors will try to sell you on it being easy to use and low maintenance," Cerrudo says. "The problem is that when the system has a security issue, you don't have the proper mechanism to update them."

When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely, Cerrudo says.

Insecure by design

Industrial control systems too are being targeted by attacks, thanks to security problems stemming from embedded devices and other legacy hardware.

One example: The Department of Homeland Security's Industrial Control System CERT (ICS-CERT) recently issued an alert about a "sophisticated attack" on an "unprotected, Internet-connected, control system operating a mechanical device" by manipulating a SCADA protocol. "The device was directly Internet accessible and was not protected by a firewall or authentication access controls," ICS-CERT wrote.

Dale Peterson, CEO of Digital Bond, a consulting firm that works with industrial control system vendors and critical infrastructure operators alike, says exhorting infrastructure operators to patch misses the bigger point: Many industrial control systems and protocols are "insecure by design."

"An attacker with ICS knowledge would use the features rather than an unpatched [vulnerability] to compromise the system," Peterson says.

Of course, not all IT systems are the same. Security experts agree there are scenarios in which a lower level of security is acceptable.

Perry Pederson, a principal at The Langner Group, says those customers who have taken steps to harden and isolate systems should be more confident that they are protected. However, it is harder than ever for companies to know for sure that air-gapped systems aren't accessible from the Internet or an adjacent network. Critical infrastructure vendors and operators often rely on cellular networks and wireless technology to remotely manage their infrastructure.

This presents a tremendous convenience, but customers and vendors often fail to comprehend the risks that go along with that convenience. The result has been the increasing exposure of systems that were long viewed as unreachable, thereby surfacing security failings not considered meaningful enough to address when those systems were designed.

Future shock

If security issues around unmanageable devices look bad now, the near future is even worse.

The computing landscape 10 years out will be vastly different than it is today, thanks to growing adoption of portable, sensor-rich, Internet-connected devices -- the so-called Internet of things. Many of those devices will operate outside of traditional IT environments.

As opposed to computing environments of the past two decades, these will not be technology monocultures; Microsoft dropping support for an operating system like XP will matter a lot less. But a different kind of monoculture is emerging in its place: one of commodity hardware -- the inexpensive processors, controllers, and sensors already in use by everyone from Fortune 100 manufacturers to crowdfunded "smart device" entrepreneurs.

Speaking at a recent conference in Cambridge, Mass., Dan Geer, Chief Information Security Officer of In-Q-Tel, the Central Intelligence Agency's investment arm, warned that the proliferation of smart, embedded devices that are both long lived and unmanageable creates the conditions for massive disruption. That disruption would come if flaws and other exploitable vulnerabilities in common components used across commercial environments and critical infrastructure lead to what he terms "common mode" failures and crippling cyber attacks.

"That combination -- long lived and not reachable -- is the trend that must be dealt with, possibly even reversed," Geer told an audience at The Security of Things Forum.

What is the proper response? Security experts say there is no quick fix. Consultants such as Digital Bond's Peterson work with infrastructure operators to understand their vulnerabilities and take reasonable measures to secure their IT environments from likely attacks. But with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there.

Geer has proposed a number of possible, long-term solutions, from mandating the implementation of remote management and update features in embedded systems at the "national policy" level to the use of programmed "self-destruct" mechanisms that would disable devices "by some predictable age."

IOActive's Cerrudo says cultural changes are needed within the firms that make the products. Developers and engineers need to adopt a security mind-set, while vendors that haven't traditionally had to deal with attacks on their products need to take their cue from software firms like Microsoft and Adobe: instituting a system for fielding and responding to reports of security holes in their products, then issuing fixes to customers.

The stakes are high. Cerrudo and Geer both note that the days of hacks, malware, and other problems being limited to our desktops at home and work are ending -- fast.

"All these new technologies are impacting our daily lives," Cerrudo says. "When these devices are hacked or compromised, it will impact the way we live."

Full disclosure: The author organized The Security of Things Forum where In-Q-Tel CISO Dan Geer made his remarks quoted here.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.